From f3628793a26e1d9613c48ae631b7df150d9ec973 Mon Sep 17 00:00:00 2001 From: Leonard Cohnen Date: Fri, 8 Mar 2024 14:39:06 +0100 Subject: [PATCH] service-mesh: make clientAuth ingress configurable --- deployments/emojivoto-sm-ingress/web.yml | 22 +++++- service-mesh/config.go | 88 ++++++++++++++++++------ service-mesh/iptables.go | 14 +++- service-mesh/main.go | 15 ++-- 4 files changed, 109 insertions(+), 30 deletions(-) diff --git a/deployments/emojivoto-sm-ingress/web.yml b/deployments/emojivoto-sm-ingress/web.yml index c6beba1bcb..aae8ed1225 100644 --- a/deployments/emojivoto-sm-ingress/web.yml +++ b/deployments/emojivoto-sm-ingress/web.yml @@ -35,15 +35,31 @@ spec: volumeMounts: - name: tls-certs mountPath: /tls-config + - name: sidecar + image: "ghcr.io/edgelesssys/contrast/service-mesh-proxy:latest" + restartPolicy: Always + volumeMounts: + - name: tls-certs + mountPath: /tls-config + env: + - name: EDG_INGRESS_PROXY_CONFIG + value: "web#8080#false" + - name: EDG_EGRESS_PROXY_CONFIG + value: "emoji#127.137.0.1:8081#emoji-svc:8080##voting#127.137.0.2:8081#voting-svc:8080" + securityContext: + privileged: true + capabilities: + add: + - NET_ADMIN serviceAccountName: web containers: - env: - name: WEB_PORT value: "8080" - name: EMOJISVC_HOST - value: emoji-svc:8080 + value: 127.137.0.1:8081 - name: VOTINGSVC_HOST - value: voting-svc:8080 + value: 127.137.0.2:8081 - name: INDEX_BUNDLE value: dist/index_bundle.js - name: EDG_CERT_PATH @@ -54,7 +70,7 @@ spec: value: /tls-config/key.pem - name: EDG_DISABLE_CLIENT_AUTH value: "true" - image: ghcr.io/3u13r/emojivoto-web:coco-1 + image: docker.l5d.io/buoyantio/emojivoto-web:v11 name: web-svc ports: - containerPort: 8080 diff --git a/service-mesh/config.go b/service-mesh/config.go index 2552891515..7d65c2f282 100644 --- a/service-mesh/config.go +++ b/service-mesh/config.go @@ -23,15 +23,23 @@ import ( var loopbackCIDR = netip.MustParsePrefix("127.0.0.1/8") // ProxyConfig represents the configuration for the proxy. -type ProxyConfig []configEntry - -type configEntry struct { +type ProxyConfig struct { + egress []egressConfigEntry + ingress []ingressConfigEntry +} +type egressConfigEntry struct { name string + clusterName string listenAddr netip.Addr listenPort uint16 remoteDomain string remotePort uint16 } +type ingressConfigEntry struct { + name string + listenPort uint16 + disableTLS bool +} // ParseProxyConfig parses the proxy configuration from the given string. // The configuration is expected to be in the following format: @@ -41,8 +49,12 @@ type configEntry struct { // Example: // // emoji#127.137.0.1:8081#emoji-svc:8080##voting#127.137.0.2:8081#voting-svc:8080 -func ParseProxyConfig(data string) (ProxyConfig, error) { - entries := strings.Split(data, "##") +func ParseProxyConfig(ingressConfig, egressConfig string) (ProxyConfig, error) { + if ingressConfig == "" && egressConfig == "" { + return ProxyConfig{}, nil + } + + entries := strings.Split(egressConfig, "##") var cfg ProxyConfig for _, entry := range entries { if entry == "" { @@ -50,33 +62,59 @@ func ParseProxyConfig(data string) (ProxyConfig, error) { } parts := strings.Split(entry, "#") if len(parts) != 3 { - return nil, fmt.Errorf("invalid entry: %s", entry) + return ProxyConfig{}, fmt.Errorf("invalid entry: %s", entry) } listenAddrPort, err := netip.ParseAddrPort(parts[1]) if err != nil { - return nil, fmt.Errorf("invalid listen address: %s", parts[1]) + return ProxyConfig{}, fmt.Errorf("invalid listen address: %s", parts[1]) } if !loopbackCIDR.Contains(listenAddrPort.Addr()) { - return nil, fmt.Errorf("listen address %s is not in local CIDR %s", listenAddrPort.Addr(), loopbackCIDR) + return ProxyConfig{}, fmt.Errorf("listen address %s is not in local CIDR %s", listenAddrPort.Addr(), loopbackCIDR) } remoteDomain := parts[2] remoteDomain, remotePort, err := net.SplitHostPort(remoteDomain) if err != nil { - return nil, fmt.Errorf("invalid remote domain: %s", remoteDomain) + return ProxyConfig{}, fmt.Errorf("invalid remote domain: %s", remoteDomain) } remotePortInt, err := strconv.Atoi(remotePort) if err != nil { - return nil, fmt.Errorf("invalid remote port: %s", remotePort) + return ProxyConfig{}, fmt.Errorf("invalid remote port: %s", remotePort) } - cfg = append(cfg, configEntry{ + cfg.egress = append(cfg.egress, egressConfigEntry{ name: parts[0], + clusterName: parts[0], listenAddr: listenAddrPort.Addr(), listenPort: listenAddrPort.Port(), remotePort: uint16(remotePortInt), remoteDomain: remoteDomain, }) } + + for _, entry := range strings.Split(ingressConfig, "##") { + if entry == "" { + continue + } + parts := strings.Split(entry, "#") + if len(parts) != 3 { + return ProxyConfig{}, fmt.Errorf("invalid entry: %s", entry) + } + listenPort, err := strconv.Atoi(parts[1]) + if err != nil { + return ProxyConfig{}, fmt.Errorf("invalid listen port: %s", parts[1]) + } + disableTLS, err := strconv.ParseBool(parts[2]) + if err != nil { + return ProxyConfig{}, fmt.Errorf("invalid disable TLS: %s", parts[2]) + } + cfg.ingress = append(cfg.ingress, ingressConfigEntry{ + name: parts[0], + listenPort: uint16(listenPort), + disableTLS: disableTLS, + }) + + } + return cfg, nil } @@ -86,9 +124,11 @@ func (c ProxyConfig) ToEnvoyConfig() ([]byte, error) { config := &envoyConfigBootstrapV3.Bootstrap{ StaticResources: &envoyConfigBootstrapV3.Bootstrap_StaticResources{}, } - listeners := make([]*envoyConfigListenerV3.Listener, 0, len(c)) - clusters := make([]*envoyConfigClusterV3.Cluster, 0, len(c)) - for _, entry := range c { + listeners := make([]*envoyConfigListenerV3.Listener, 0) + clusters := make([]*envoyConfigClusterV3.Cluster, 0) + + // Create listeners and clusters for egress traffic. + for _, entry := range c.egress { listener, err := listener(entry) if err != nil { return nil, err @@ -106,6 +146,10 @@ func (c ProxyConfig) ToEnvoyConfig() ([]byte, error) { if err != nil { return nil, err } + ingrListenerNoClientAuth, err := ingressListener("ingressWithoutClientAuth", 15007, false) + if err != nil { + return nil, err + } ingressCluster := &envoyConfigClusterV3.Cluster{ Name: "ingress", @@ -115,6 +159,7 @@ func (c ProxyConfig) ToEnvoyConfig() ([]byte, error) { } listeners = append(listeners, ingrListenerClientAuth) + listeners = append(listeners, ingrListenerNoClientAuth) clusters = append(clusters, ingressCluster) config.StaticResources.Listeners = listeners @@ -132,11 +177,11 @@ func (c ProxyConfig) ToEnvoyConfig() ([]byte, error) { return configBytes, nil } -func listener(entry configEntry) (*envoyConfigListenerV3.Listener, error) { +func listener(entry egressConfigEntry) (*envoyConfigListenerV3.Listener, error) { proxy := &envoyConfigTCPProxyV3.TcpProxy{ StatPrefix: entry.name, ClusterSpecifier: &envoyConfigTCPProxyV3.TcpProxy_Cluster{ - Cluster: entry.name, + Cluster: entry.clusterName, }, } @@ -172,7 +217,7 @@ func listener(entry configEntry) (*envoyConfigListenerV3.Listener, error) { }, nil } -func cluster(entry configEntry) (*envoyConfigClusterV3.Cluster, error) { +func cluster(entry egressConfigEntry) (*envoyConfigClusterV3.Cluster, error) { socket, err := upstreamTLSTransportSocket() if err != nil { return nil, err @@ -214,10 +259,11 @@ func cluster(entry configEntry) (*envoyConfigClusterV3.Cluster, error) { } func ingressListener(name string, listenPort uint16, requireClientCertificate bool) (*envoyConfigListenerV3.Listener, error) { - ingressListener, err := listener(configEntry{ - name: name, - listenAddr: netip.MustParseAddr("0.0.0.0"), - listenPort: listenPort, + ingressListener, err := listener(egressConfigEntry{ + name: name, + clusterName: "ingress", + listenAddr: netip.MustParseAddr("0.0.0.0"), + listenPort: listenPort, }) if err != nil { return nil, err diff --git a/service-mesh/iptables.go b/service-mesh/iptables.go index fb9e298579..b0c9002d70 100644 --- a/service-mesh/iptables.go +++ b/service-mesh/iptables.go @@ -15,7 +15,7 @@ const EnvoyIngressPort = 15006 const EnvoyIngressPortNoClientCert = 15007 // IngressIPTableRules sets up the iptables rules for the ingress proxy. -func IngressIPTableRules() error { +func IngressIPTableRules(ingressEntries []ingressConfigEntry) error { // Create missing `/run/xtables.lock` file. if err := os.Mkdir("/run", 0o755); err != nil { if !os.IsExist(err) { @@ -67,6 +67,18 @@ func IngressIPTableRules() error { return fmt.Errorf("failed to append EDG_IN_REDIRECT chain to EDG_INBOUND chain: %w", err) } + for _, entry := range ingressEntries { + if entry.disableTLS { + if err := iptablesExec.AppendUnique("mangle", "EDG_IN_REDIRECT", "-p", "tcp", "--dport", fmt.Sprintf("%d", entry.listenPort), "-j", "RETURN"); err != nil { + return fmt.Errorf("failed to append dport exception to EDG_IN_REDIRECT chain to disable TLS: %w", err) + } + } else { + if err := iptablesExec.AppendUnique("mangle", "EDG_IN_REDIRECT", "-p", "tcp", "--dport", fmt.Sprintf("%d", entry.listenPort), "-j", "TPROXY", "--on-port", fmt.Sprintf("%d", EnvoyIngressPortNoClientCert)); err != nil { + return fmt.Errorf("failed to append dport exception to EDG_IN_REDIRECT chain to disable client auth: %w", err) + } + } + } + // Route all traffic not destined for 127.0.0.1 to the envoy proxy on its // port that requires client authentication. if err := iptablesExec.AppendUnique("mangle", "EDG_IN_REDIRECT", "-p", "tcp", "-j", "TPROXY", "--on-port", fmt.Sprintf("%d", EnvoyIngressPort)); err != nil { diff --git a/service-mesh/main.go b/service-mesh/main.go index 5296e26c1c..8c0f02d888 100644 --- a/service-mesh/main.go +++ b/service-mesh/main.go @@ -9,8 +9,9 @@ import ( ) const ( - proxyConfigEnvVar = "EDG_PROXY_CONFIG" - envoyConfigFile = "/envoy-config.yml" + egressProxyConfigEnvVar = "EDG_EGRESS_PROXY_CONFIG" + ingressProxyConfigEnvVar = "EDG_INGRESS_PROXY_CONFIG" + envoyConfigFile = "/envoy-config.yml" ) var version = "0.0.0-dev" @@ -25,9 +26,13 @@ func main() { func run() (retErr error) { log.Printf("service-mesh version %s\n", version) - proxyConfig := os.Getenv(proxyConfigEnvVar) + egressProxyConfig := os.Getenv(egressProxyConfigEnvVar) + log.Println("Ingress Proxy configuration:", egressProxyConfig) - pconfig, err := ParseProxyConfig(proxyConfig) + ingressProxyConfig := os.Getenv(ingressProxyConfigEnvVar) + log.Println("Egress Proxy configuration:", ingressProxyConfig) + + pconfig, err := ParseProxyConfig(ingressProxyConfig, egressProxyConfig) if err != nil { return err } @@ -43,7 +48,7 @@ func run() (retErr error) { return err } - if err := IngressIPTableRules(); err != nil { + if err := IngressIPTableRules(pconfig.ingress); err != nil { return fmt.Errorf("failed to set up iptables rules: %w", err) }